diff --git a/iam-general-policies/policy.cloudforms.tf b/iam-general-policies/policy.cloudforms.tf
index 0249a2f..30a31ba 100644
--- a/iam-general-policies/policy.cloudforms.tf
+++ b/iam-general-policies/policy.cloudforms.tf
@@ -149,7 +149,7 @@ locals {
 data "aws_iam_policy_document" "cloudforms_ami" {
   # for access to remote AMI key
   dynamic "statement" {
-    for_each = length(local.cloudforms_ami_kms_keys[data.aws_arn.current.partition]) > 0 ? { data.aws_arn.current.partition = local.cloudforms_ami_kms_keys[data.aws_arn.current.partition] } : {}
+    for_each = length(local.cloudforms_ami_kms_keys[data.aws_arn.current.partition]) > 0 ? { (data.aws_arn.current.partition) = local.cloudforms_ami_kms_keys[data.aws_arn.current.partition] } : {}
     iterator = c
     content {
       sid       = "AWSCloudformsAMIKeyAccess"